System, method, and apparatus to mitigate and or prevent autonomous vehicle misuse through the use of security enabled sensors

ABSTRACT

Methods and systems for implementing autonomous vehicle security features. The present invention details an effective and secure methodology to implement the external management and control of autonomous vehicles by authorized personnel, usually law enforcement, through the use of intelligent sensors that can override an autonomous vehicle controller's functionality as necessary.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation application of U.S. patent application Ser. No. 16/244,092, filed Aug. 1, 2019 which claims priority to U.S. Provisional Application No. 62/710,221, filed Feb. 14, 2018, U.S. Provisional Application No. 62/762,453, filed May 7, 2018, the disclosures of which are incorporated by reference herein in their entirety.

TECHNICAL FIELD

The present invention relates generally to an improved data processing system and in particular to a method and apparatus for implementing security features using Autonomous Vehicle (AV) sensors. Still more particularly, the present invention provides for dedicated or integrated sensors that allow override of vehicle functions by authorized personnel, specifically allowing the shutdown and/or management of an AV by external means.

BACKGROUND OF THE INVENTION

The field of autonomous vehicle control is currently emerging as a promising technology that can reduce costs, reduce accidents and loss of life, reduce insurance premiums, increase productivity for workers in transit and potentially eliminate drunk driving and the associated losses; however, recent misuse of vehicles by terrorists demands that the technology be proactive to develop a comprehensive threat model, as well as mitigation and prevention methodologies rather than reacting to the consequences.

Autonomous vehicles are categorized by the Society of Automotive Engineers (SAE) in specification J3016, Autonomy Levels as follows:

-   Level 0: Automated system issues warnings and may momentarily intervene but has no sustained vehicle control.
-   Level 1: Driver and automated system share control over the vehicle. An example would be Adaptive Cruise Control (ACC) where the driver controls steering and the automated system controls speed. Using Parking Assistance, steering is automated while speed is manual. The driver must be ready to retake full control at any time.
-   Level 2: The automated system takes full control of the vehicle accelerating, braking, and steering. The driver must monitor the driving and be prepared to immediately intervene at any time if the automated system fails to respond properly.
-   Level 3: The driver can safely turn their attention away from the driving tasks, e.g. the driver can text or watch a movie. The vehicle will handle situations that call for an immediate response, like emergency braking. The driver must still be prepared to intervene within some limited time when called upon by the vehicle to do so (specified by the manufacturer).
-   Level 4: As level 3, but no driver attention is ever required for safety, i.e. the driver may safely go to sleep or leave the driver's seat. Self driving is supported only in limited areas or under special circumstances, like traffic jams. Outside of these areas or circumstances, the vehicle must be able to safely abort the trip, i.e. park the car, if the driver does not retake control.
-   Level 5: No human intervention is required, e.g., robotic taxi.

Because of this technology's recent development, there are currently few autonomous vehicles commercially available for sale worldwide; however, the very nature of an autonomous vehicle provides a large measure of anonymity and therefore the possibility of subsequent misuse. Additionally, a majority of the AVs under development are electric AVs that are much easier to drive and therefore will provide a larger potential for misuse. Misuse can be intentional as in the case of a terrorist's use of an autonomous truck to deliver explosive devices or mow down pedestrians in crowded venues; however, misuse can also be accidental as in the case of sensor failure, environmental conditions that interfere with sensor operations, driver medical issues, failure of mechanisms to secure vehicle loads, or third party misuse such as skitching or hooky bobbing, as well as any other of a multitude of real-world problems yet to be discovered.

It is clear that at AV Level 2 and above, where all control has been relinquished to the AV, there is the need for additional external control applied by authorized personnel, usually law enforcement, for mitigating and/or preventing misuse. At Level 2 after a driver has relinquished control, the driver could possibly have an incapacitating medical event that prevents proper control of the vehicle and if no external stimulus can provide access to the vehicle, the driver may not receive medical treatment promptly. As the level of autonomy increases, there are many additional factors that demand the development of a comprehensive policy and threat model, as well as mitigation and prevention methodologies. The policies and methodologies must meet all regulatory requirements for all jurisdictions where the AV is operated as the industry is subject to many additional rules and regulations such as required by the USG Federal Motor Carrier Safety Administration (FMCSA) e.g., Federal Motor Carrier Safety Regulations (FMCSRs).

The trucking industry is heavily regulated and in the normal course of business, Level 1 Class 8 vehicles are frequently required to stop for various inspections: in transit, intrastate weigh stations, border weigh stations, agricultural, etc. Additionally, law enforcement is frequently required to pull these vehicles over (lawfully stop) to issue violations for overweight loads, safety violations, or to alert the driver there are issues with vehicle or load. Level 5 vehicles do not magically make these disappear; law enforcement will have the same (and possibly more) reasons to stop the vehicle.

A partial list of requirements for lawful stop and search of Level 2 and above AVs is as follows:

-   A) The connection protocol must provide cryptographic mechanisms to:
    -   1) identify and authenticate the entity performing Lawful Stop as authorized law enforcement personnel,
    -   2) command messages and replies must be confidential and free of errors,
    -   3) messages must have both non-repudiation of origin and non-repudiation of receipt
-   B) In non-emergency situations:
    -   1) Indicate law enforcement's command received and action is in progress
    -   2) If message is “Stop”, the AV must safely pull off the right of way and stop, and:
        -   a) communicate with dispatch
            -   i. Notify owner/operator the vehicle is being stopped
            -   ii. Send law enforcement's credentials for records
                -   1) Identification,
                -   2) Method for authentication
                -   3) Jurisdiction,
                -   4) location and time,
        -   b) communicate with law enforcement to provide any necessary information,
    -   3) possibly relinquish control of vehicle to law enforcement,
    -   4) unlock cargo compartment upon request for inspection,
    -   5) lock cargo compartment,
    -   6) safely retake control of the vehicle,
    -   7) safely resume operation,
-   C) If message is “EmergencyStop”, the AV must apply all means to stop immediately,
-   D) Obey all “Fence” commands immediately by requesting reroute map and immediately reroute around restricted area.

Currently, the lawful stop of a vehicle depends on visual verification of law enforcement, i.e., the police vehicle, police uniform and the badge; unfortunately, unmarked police cars and a rising mistrust of law enforcement make these inadequate, if a computer could perform these actions. The opportunity to improve these outdated metrics and move to secure methodologies requires that Level 2 and above autonomous vehicles use the best technology available and that was designed to provide law enforcement's identification and authentication, message integrity, message confidentiality, non-repudiation of origin and non-repudiation of receipt.

The current marketing blitz being waged by more than 20 AV manufacturers doesn't discuss AV Control System security, the use of recognized international standards for software development or the testing methodologies of the AV control system. They certainly don't disclose the dangers posed to the public by AVs used responsibly, or under normal misuse cases, or much less, the use of these vehicles by terrorists. Without secure control systems, i.e., developed with secure development practices, tested, evaluated and approved by third party experts, AVs are easily usable by terrorists as delivery programs for weapons.

Therefore, all Level 2 and above AVs must implement lawful stop and search that is independent of the vehicle's controller. Because all computer systems are much more vulnerable to exploit when an attacker has physical control of the device, the lawful controller must be implemented in a tamper-proof enclosure, as should the vehicle controller, sensor system, and all sensor wiring. It is recommended that a FIPS 140-2 Level 4 specification be used for guidance.

Additionally, the software and hardware should be subject to review by third party experts; it is suggested as a minimum that they undergo a Common Criteria evaluation as well as FIPS 140-2 Level 4 certification.

Most importantly, lawful stop and search must take into account that any Level 2 and above AV can be effectively used as a terrorist's weapon acting at a great distance. When contemplating the use of Class 8 AVs as a weapon, the true gravity of the situation appears clear: an 80,000 lb weapon is frightening and cannot be ignored.

It is readily apparent that many threats and extensive regulations are present, but unsolved for this emerging technology; therefore, it would be advantageous to have an improved method and apparatus to prevent autonomous vehicle misuse.

SUMMARY OF THE INVENTION

The present invention provides a system, method and apparatus to prevent autonomous vehicle misuse. The exemplary aspects of the present invention detail an effective and secure methodology to implement the external management and/or shutdown of autonomous vehicles by authorized personnel through the use of intelligent sensors that can override functionality as necessary.

BRIEF DESCRIPTION OF THE DRAWINGS

The novel features believed characteristic of the invention are set forth in the appended claims; however, the invention itself, as well as a preferred mode of use, further objectives and advantages thereof, will best be understood by reference to the following detailed description of an illustrative embodiment when read in conjunction with the accompanying drawings, wherein:

FIG. 1 is a block diagram showing a typical Autonomous Vehicle with AV Controller and Sensor System in which the present invention may be implemented;

FIG. 2 is a block diagram showing details of a typical Autonomous Vehicle Controller and Support Systems in which the present invention may be implemented;

FIG. 3 depicts a handheld Lawful Stop and Search (LSS) illuminator;

FIG. 4 depicts a car mounted Lawful Stop and Search (LSS) illuminator;

FIG. 5 depicts a helicopter mounted Lawful Stop and Search (LSS) illuminator;

FIG. 6 is a diagram depicting a Fixed LSS Fence, an electronic fence using Lawful Stop and Search (LSS) illuminators;

FIG. 7 is a diagram depicting the two way communications where the LSS Illuminator, acting as a client, communicates with a LSS AV Override System Controller, acting as the server, i.e., actively listening for an illuminator;

FIG. 8 is a block diagram of an example LSS illuminator electronics;

FIG. 9 is a block diagram of an example LSS Manual Controller electronics;

FIG. 10 is a block diagram of an example LSS AV Override System Controller electronics;

FIG. 11 is a block diagram showing details of a LSS Override System Controller interfaces to a typical Autonomous Vehicle Controller;

FIG. 12 is a diagram depicting a driver-less AV with wired LSS Manual Controller; and

FIG. 13 is a diagram depicting a driver-less AV with wireless LSS Manual Controller.

DETAILED DESCRIPTION OF THE INVENTION

With reference now to the figures, and in particular with reference to FIG. 1, a block diagram depicting a typical Autonomous Vehicle (AV) with AV Controller and Sensor System 100 in which the present invention may be implemented. Those of ordinary skill in the art will appreciate that the AV Controller and the sensor systems may vary according to the manufacturer, design requirements, requirements mandated by local and federal regulatory bodies, as well as intended usage. Depicted in FIG. 1 is an autonomous vehicle with AV Controller 130 and the various sensors currently being designed for autonomous vehicles; direction of forward travel is indicated by arrow. These diagrams show long range radar sensor coverage 101, medium radar coverage 104, 105, and 106, camera coverage 102, short range radar coverage 103, ultrasonic sensor coverage 110, 111, 112, 113, 114, and 115, and omnidirectional sensor coverage 120 generated by the omnidirectional sensor 132. The omnidirectional sensor may represent a GPS/GNSS, LIDAR, V2X, LSS, RF, or a combination of these (or other technology types); i.e., an AV could support multiple omnidirectional technologies each having dedicated sensors, or sensors integrated with multiple technologies. A LSS (Lawful Stop and Search) sensor, either dedicated or integrated with other sensor technology, may be implemented as a single mode or as a multi-mode sensor as design demands.

With reference now to FIG. 2, a block diagram depicting a typical Autonomous Vehicle (AV) Controller and Support Systems 200 in which the present invention may be implemented. Those of ordinary skill in the art will appreciate that the AV Controller and Support systems may vary according to the manufacturer, design requirements, requirements mandated by local and federal regulatory bodies, as well as intended usage. Depicted in FIG. 2 is the autonomous vehicle controller processor subsystem 201 providing the main processing resources and external interface, the User Interface 203 that provides possible manual interfaces to the controller. Additionally shown are the following systems, the Brake Controller & Brake System 205, Radio Controller & Radio System 207, Steering Controller & Steering System 209, Sensor Controllers 211, Drive Motor Controller & Drive Motor System 213, GPS Controller & GPS System 215, Lighting Controller & Lighting System 217, Other Systems Controller & Systems 219. The External Control Interfaces 221 and 223 provide both normal control interfaces 223 and emergency control interfaces 221 to the AV Controller. The normal control interface 223 interfaces directly with the AV Controller Processor Subsystem 210 and allows an external controller to override the normal autonomous operations. The emergency control interface 221 bypasses the AV Controller Processor Subsystem 210 and interfaces directly to the Brake Controller & Brake System 205, Steering Controller & Steering System 209 and Drive Motor Controller & Drive Motor System 213.

With reference now to FIGS. 3, 4, 5 and 6, depictions of a LSS handheld illuminator, a LSS Car Mounted illuminator, a LSS Helicopter Mounted illuminator, and a fixed LSS Fence, in accordance with a preferred embodiment of the present invention. Those of ordinary skill in the art will appreciate that the LSS Car Mounted illuminator and the LSS Helicopter Mounted illuminator will require external mounts that have azimuth and elevation control for pointing; however, this is beyond the scope of the present invention. Typically, law enforcement personnel will operate the LSS illuminators as part of an intervention process when an AV must be stopped for inspection or where other means have failed or are deemed unusable or unsafe. The LSS illuminator is used to signal the AV that authorized personnel are overriding AV control. A LSS illuminator may be a single mode, or multi-mode device; multi-mode may allow different modes to be selectable or all modes may be used simultaneously. Additionally, each Illuminator depicted may be integrated into other systems already required; e.g. the LSS handheld illuminator could be integrated into a flashlight, the LSS Car Mounted illuminator could be integrated into the vehicle's emergency lighting. Those of ordinary skill in the art will appreciate that these modes may vary according to the manufacturer, design requirements, requirements mandated by local and federal regulatory bodies, as well as intended usage and range. Typical modes would be visible laser, infrared laser, ultrasonic, Radio Frequency (RF) and/or other applicable technologies; multi-mode devices would utilize two or more of these (or two or more frequencies), either selectably or simultaneously.

With reference now to FIG. 6, a concept drawing of a restricted area consisting of Restricted Roadway 312C, Pedestrian Walkways 310C and 314C. These areas are protected by an electronic fence consisting of LSS Illuminators 302C, 304C, 306C, and 308C, each transmitting a “Fence” command with the GPS coordinates of the restricted area. These coordinates could be the corners of the fenced area or the center and radius as design dictates. Commands are transmitted periodically at a high repetition rate during periods of usage, and may be turned off otherwise. The installation could be used to exclude AVs from restricted areas, such as large celebrations, and/or large public gatherings.

With reference now to FIG. 7, a depiction of the communications path between a LSS illuminator 400 and a LSS AV Sensor 420 showing the two way nature of communication in accordance with a preferred embodiment of the present invention. In this depiction, the communications may be visible laser, infrared laser, ultrasonic, Radio Frequency (RF) and/or other applicable technologies. Those of ordinary skill in the art will appreciate that one way communication cannot provide the required level of security to prevent LSS misuse, e.g., malicious or criminal hacking and/or pranking, load hijacking, competitor interference, etc.; therefore, a two way encrypted communication channel with mutual authentication is established to meet the applicable standards to guarantee LSS user identification and authentication, message integrity, message confidentiality, non-repudiation of origin and non-repudiation of receipt. LSS user identification and authentication is necessary to prevent unauthorized interference with the AV, message integrity is required to ensure the message is received correctly so it may be interpreted properly, and message confidentiality is required to prevent spoofing of LSS messages or other hacking techniques. Non-repudiation of origin is required to ensure the AV's owner/dispatcher has sufficient records to know who stopped the AV and why, and non-repudiation of receipt is required so the origin (ownership) of the AV can be verified.

Depicted in FIG. 7 are LSS illuminator 400 with Transmitter (TX) 401 and Receiver (RX) 402, and LSS AV Sensor 420 with Receiver (RX) 421 and Transmitter (TX) 422. LSS AV Sensor 420 acts as a server, listening for a LSS illuminator 400 communication to be initiated via Receiver 421; its Transmitter 422 is inactive. When LSS illuminator 400 is activated it initiates a Transport Layer Security version 1.2 (TLSv1.2) handshake with mutual authentication; if the LSS AV Sensor 420 Receiver 421 is in its beam 410 as shown, the LSS AV Sensor 420 responds via Transmitter 422 and completes the handshake. Immediately after the handshake is completed, the LSS illuminator 400 transmits command(s) and waits on a response from the LSS AV Sensor 402. When the command(s) are acknowledged, the LSS illuminator 400 issues a TLSv1.2 shutdown command to terminate the link; this ends the TLS session. Those of ordinary skill in the art will appreciate that protocols other than TLSv1.2 may be used to achieve the necessary link security; however, they will also recognize non-repudiation of origin and non-repudiation of receipt are required whether provided as an extension to TLS or as part of the application layer.

Typical necessary commands (or their equivalent) that are envisioned are the emergency commands, “EmergencyStop”, “Stop”, and “Fence”, and the normal commands, “Acknowledge”, “Identify”, “Manifest”, “PullOverPark”, and “ResumeOperation”; once the AV is at a full stop, further actions can be initiated via other communication paths. The command “EmergencyStop” is issued only when imminent danger necessitates the AV must apply all means to halt motion; this may necessitate a separate control path be implemented, one that bypasses the AV's controller and operates directly on the motor feed and braking mechanisms. The command “Stop” is issued in situations that require immediate AV halt; however, normal safety rules remain in place except the AV does not need to clear traffic lanes. The command “Fence” is issued in fixed locations that require the AV recognize a restricted area that the AV may not enter; this command transmits the GPS coordinates of its location so the AV may reroute. The command “Acknowledge” requires the AV respond to a sensor query to verify the health of the LSS System. The command “Identify” requires the vehicle return AV identification data. The command “Manifest” requires the AV respond with the current vehicle manifest data. The command “PullOverPark” is intended for normal situations where vehicle inspection e.g., load inspection, vehicle weight, etc., or other lawful stop of the AV is required where the AV needs to clear traffic lanes. The command “ResumeOperation” is intended to allow the AV to continue its operation after interruption; however, no internal AV control may be applied until enabled by receipt of this command. Additionally, some commands could require sub-commands for added functionality; the “PullOverPark” command could include sub-commands to indicate why the AV was pulled over, e.g., “MobileScale”, “LoadInspection”, “EquipmentViolation”, or others as required. Those of ordinary skill in the art will appreciate that design requirements, regulatory requirements, field experience, etc., may require commands be added, modified, and/or removed.
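
The description above requires non-repudiation of origin and of receipt either as a TLS extension or at the application layer. The following Go program is an added example, not part of the patent, showing the application-layer option: the illuminator signs each command with Ed25519 and the AV answers with a signed receipt over the exact command bytes. Ed25519, the envelope fields, the 30-second freshness window, the nonce cache and all identifiers are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

var (
	ErrBadSignature   = errors.New("unknown signer or signature check failed")
	ErrUnknownCommand = errors.New("command not in allow-list")
	ErrStale          = errors.New("command outside freshness window")
	ErrReplay         = errors.New("nonce already seen")
	ErrBadReceipt     = errors.New("receipt invalid or for a different command")
	// allowed holds the commands the page names; anything else is rejected.
	allowed = map[string]bool{"EmergencyStop": true, "Stop": true, "Fence": true, "Acknowledge": true,
		"Identify": true, "Manifest": true, "PullOverPark": true, "ResumeOperation": true}
)

type ( // field names are assumptions made for this example
	Command struct {
		Name, OfficerID, Jurisdiction, Nonce string
		IssuedAt                             time.Time
	}
	Receipt struct { // binds the vehicle to the exact signed command it received
		VehicleID, CommandSum string
		ReceivedAt            time.Time
	}
	Signed  struct{ Body, Sig []byte } // exact signed bytes, archived by both parties
	Vehicle struct {
		ID      string
		key     ed25519.PrivateKey
		trusted map[string]ed25519.PublicKey // officer ID -> enrolled illuminator key
		seen    map[string]bool              // officer/nonce pairs already accepted
		maxAge  time.Duration
	}
)

func Sign(key ed25519.PrivateKey, v interface{}) Signed {
	body, _ := json.Marshal(v) // cannot fail for the plain structs used here
	return Signed{Body: body, Sig: ed25519.Sign(key, body)}
}

func digest(m Signed) string {
	sum := sha256.Sum256(append(append([]byte{}, m.Body...), m.Sig...))
	return hex.EncodeToString(sum[:])
}

// Accept proves origin, rejects unknown, stale or replayed commands, then signs a receipt.
func (v *Vehicle) Accept(m Signed, now time.Time) (Signed, error) {
	var c Command
	if json.Unmarshal(m.Body, &c) != nil {
		return Signed{}, ErrBadSignature
	}
	pub, ok := v.trusted[c.OfficerID]
	age := now.Sub(c.IssuedAt)
	switch {
	case !ok || !ed25519.Verify(pub, m.Body, m.Sig):
		return Signed{}, ErrBadSignature
	case !allowed[c.Name]:
		return Signed{}, ErrUnknownCommand
	case age > v.maxAge || age < -v.maxAge:
		return Signed{}, ErrStale
	case v.seen[c.OfficerID+"/"+c.Nonce]:
		return Signed{}, ErrReplay
	}
	v.seen[c.OfficerID+"/"+c.Nonce] = true
	return Sign(v.key, Receipt{v.ID, digest(m), now}), nil
}

// VerifyReceipt runs on the illuminator; the archived pair is the record for dispatch.
func VerifyReceipt(vehicle ed25519.PublicKey, sent, rcpt Signed) (Receipt, error) {
	var r Receipt
	if !ed25519.Verify(vehicle, rcpt.Body, rcpt.Sig) ||
		json.Unmarshal(rcpt.Body, &r) != nil || r.CommandSum != digest(sent) {
		return Receipt{}, ErrBadReceipt
	}
	return r, nil
}

// newDemo returns a constructed illuminator key, the vehicle's public key and the vehicle.
func newDemo() (ed25519.PrivateKey, ed25519.PublicKey, *Vehicle) {
	ipub, ipriv, _ := ed25519.GenerateKey(nil)
	vpub, vpriv, _ := ed25519.GenerateKey(nil)
	return ipriv, vpub, &Vehicle{ID: "AV-DEMO-1", key: vpriv, maxAge: 30 * time.Second,
		trusted: map[string]ed25519.PublicKey{"officer-0001": ipub}, seen: map[string]bool{}}
}

func main() {
	key, _, av := newDemo()
	msg := Sign(key, Command{"Stop", "officer-0001", "constructed-county", "n-1", time.Now()})
	_, first := av.Accept(msg, time.Now())
	_, second := av.Accept(msg, time.Now())
	fmt.Println("first delivery:", first, "| replayed delivery:", second)
}
```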

With reference now to FIG. 8, a block diagram illustrating components of a LSS illuminator 500 used by authorized personnel to mitigate and/or prevent autonomous vehicle misuse is depicted in accordance with a preferred embodiment of the present invention. The LSS illuminator described herein communicates directly with the LSS Sensor described in the paragraph below. In this illustrative example, the components are organized into the following subsystems: processing, transmit chain, receive chain, user interface and dispatch interface. Those of ordinary skill in the art will appreciate that the hardware depicted in FIG. 8 may vary; e.g., other components may be used in the transmit and/or receive chain, or other subsystems.

The transmit chain is comprised of Oscillator 501 which generates the carrier frequency, the Modulator 503 which modulates the carrier, Amplifier 505 which amplifies the signal, the Transmitter 507 which emits the modulated beam 530 intended for the LSS Sensor. The receive chain is comprised of the Receiver 515 which receives the modulated beam 532 from the LSS Sensor, Signal Conditioner and Amplifier 513 which synchronizes to the incoming signal and amplifies to the proper level, and Demodulator 511 which recovers the information content from the modulated carrier wave and sends for processing. The processing chain is comprised of Processor 509, and the RAM/NVRAM 517. The Processor 509 performs all processing tasks including generating transmit signals, interpreting receive signals, user input/output functions, and interfacing to dispatch; it interfaces to RAM/NVRAM 517 where program and data are stored, interfaces to USB Interface 521 which provides means to load necessary system data, reads User Input 519, drives Status Indicators 523, and drives the Dispatch Interface 525 which ensures all device (LSS Illuminator) usage is externally monitored to preserve usage records. Optionally, for electronic fence applications, a GPS Receiver 527 and GPS Antenna 529 can be integrated. It is recommended that high-accuracy GPS be implemented.

With reference now to FIG. 9, a diagram illustrating components of an LSS Manual Controller 600 intended to communicate with the AV and used to manage the autonomous vehicle is depicted in accordance with a preferred embodiment of the present invention. The LSS Manual Controller described herein communicates directly with the LSS AV Override System via an attached cable or by wireless link; the details of cable or wireless link are not illustrated. In this illustrative example, the components are organized into the following subsystems: processing, transmit chain, receive chain, and user interface. Those of ordinary skill in the art will appreciate that the hardware depicted in FIG. 9 may vary; e.g., other components may be used in the transmit and/or receive chain, or other subsystems.

The transmit chain is comprised of Oscillator 601 which generates the carrier frequency, the Modulator 603 which modulates the carrier, Amplifier 605 which amplifies the signal, the Transmitter 607 which emits the modulated signal 630 to the LSS AV Override System, either via wired or wireless means. The receive chain is comprised of the Receiver 615 which receives the modulated signal 632 from the LSS AV Override System, again, either via wired or wireless means, Signal Conditioner and Amplifier 613 which synchronizes to the incoming signal and amplifies to the proper level, and Demodulator 611 which recovers the information content from the modulated carrier wave and sends for processing. The processing chain is comprised of Processor 609, and the RAM/NVRAM 617. The Processor 609 performs all processing tasks including generating transmit signals, interpreting receive signals, user input/output functions, and interfacing to dispatch; it interfaces to RAM/NVRAM 617 where program and data are stored, interfaces to USB Interface 621 which provides means to load necessary system data, reads User Input 619, and drives Status Indicators 623. When LSS Manual Controller 600 is activated it initiates a TLSv1.2 handshake with mutual authentication; immediately after the handshake is completed, the LSS Manual Controller 600 transmits command(s) and waits on a response from the LSS AV Override System. When the command(s) are acknowledged, the LSS Manual Controller 600 issues a TLSv1.2 shutdown command to terminate the link; this ends the TLS session. Those of ordinary skill in the art will appreciate that protocols other than TLSv1.2 may be used to achieve the necessary link security.

Typical necessary commands (or their equivalent) that are envisioned are the proportional commands, “PullForward”, “BackUp”, “TurnLeft”, and “TurnRight” and fixed commands, “Stop”, “DownloadVehicleIdentification”, “UnlockLoadCompartment”, “ContactTerminal”, and “ResumeOperation”; proportional commands carry rate information and are used to move the vehicle locally at low rates of speed. The command “Stop” is issued in situations that require immediate AV halt. The command “DownloadVehicleIdentification” is intended for situations where vehicle inspection requires the vehicle produce documentation such as: identification (the motor carrier's name or trade name and the motor carrier's Department of Transportation (DOT) registration number), manifest, proof of insurance, maintenance records, accident records, licenses, permits, planned route and actual route, etc.; this information is downloaded to the controller's USB drive for review and storage. The command “UnlockLoadCompartment” is used to perform vehicle load inspections. The command “ContactTerminal” is intended to notify the vehicle's owner/operator that additional assistance is required. The command “ResumeOperation” is intended to allow the AV to continue its operation after interruption; however, no internal AV control may be applied until enabled by receipt of this command. Those of ordinary skill in the art will appreciate that design requirements, regulatory requirements, field experience, etc., may require commands be added, modified, and/or removed.

With reference now to FIG. 10, a diagram illustrating components of a LSS AV Override System Controller 700 mounted on the AV used to mitigate and/or prevent autonomous vehicle misuse and vehicle management is depicted in accordance with a preferred embodiment of the present invention. The LSS AV Override System described herein communicates directly with the LSS illuminator described in the paragraph above and communicates with the LSS Manual Controller described below. In this illustrative example, the components are organized into the following subsystems: processing, transmit chain, receive chain, user interface and dispatch interface; the subsystems may be appropriately separated into physically different enclosures with the transmit and receive chains located in one package mounted on top of the AV and the remainder in a more accessible location. Additionally, the components may be integrated into existing AV sensors such as LIDAR, radar, GNSS, or ultrasonic, etc.; furthermore, significant anti-tampering characteristics of the LSS AV Override System may be gained through the use of integrated sensors, e.g., if an integrated LSS/LIDAR sensor were tampered with, the LIDAR system would also be downgraded and the system would fail. Additionally, some components, such as receiver and/or transmitter, may be integrated into the vehicle's running, braking, or emergency lighting. Those of ordinary skill in the art will appreciate that the hardware depicted in FIG. 10 may vary, e.g., other components may be used in the transmit and/or receive chain, or other subsystems.

The transmit chain is comprised of Oscillator 701 which generates the carrier frequency, the Modulator 703 which modulates the carrier, Amplifier 705 which amplifies the signal, the Transmitter 707 which emits the modulated beam 730 intended for the LSS Illuminator. The receive chain is comprised of the Receiver 715 which receives the modulated beam 732 from the LSS Illuminator, Signal Conditioner and Amplifier 713 which synchronizes to the incoming signal and amplifies to the proper level, and Demodulator 711 which recovers the information content from the modulated carrier wave and sends for processing. The processing chain is comprised of Processor 709, and the RAM/NVRAM 717. The Processor 709 performs all processing tasks including generating transmit signals, interpreting receive signals, user input/output functions, and interfacing to dispatch; it interfaces to RAM/NVRAM 717 where program and data are stored, interfaces to USB Interface 721 which provides means to load necessary system data, reads User Input 719, drives Status Indicators 723, and drives the Dispatch Interface 725 which ensures all device (LSS Illuminator) usage is externally monitored to preserve usage records, interfaces to the External Control Interface 727 which allows the AV to be controlled by an external device, and interfaces to the AV Computer Interface 729 which sends override commands to the AV control system computer, or to a separate control implemented to bypass the AV's controller and operate directly on the motor feed and braking mechanisms via the Emergency Override Interface 728.

A high-accuracy GPS Receiver 720 and GPS Antenna 724 provide accurate LSS location data that is independent of the AV control system. LSS location data is used in conjunction with “Fence” commands received from LSS electronic fence installations. As the vehicle approaches a restricted area marked with the LSS fence, the AV controller may be notified to avoid the restricted area. In the case the LSS AV Override System detects actual AV intrusion into a LSS electronic fenced area, the vehicle is reliably stopped by bypassing the AV's controller via the Emergency Override Interface 728, operating directly on the motor feed and braking mechanisms. Once the AV has been stopped using the Emergency Override Interface 728, it can only be restarted by law enforcement. LSS AV Override System location data can also be sent to the AV control system to increase its reliability. To reduce misuse and increase route reliability, the Native AV Controller can transmit the route map to the LSS AV Override System via the AV Computer Interface 729 where the route is continuously checked by the LSS Override System. Small route deviations can be transmitted back to the AV controller for correction resulting in higher route reliability, whereas large route deviations will result in activation of the Emergency Override Interface and subsequent AV stop. Those of ordinary skill in the art will appreciate that the LSS AV Override System and all interfaces to the AV must have sufficient physical and logical protection to prevent misuse and/or tampering; therefore, manufacturers should consider FIPS 140-2 Level 4 certification or its equivalent.
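
The fence and route checks described above amount to a small decision function run on every GPS fix. The following Go program is an added example, not part of the patent: it evaluates a fix against center-and-radius fences and the route map, and latches the emergency override until an authenticated restart. The thresholds (300 m warning distance, 15 m and 150 m deviation limits), the type names and the coordinates are assumptions and constructed sample data.

```go
package main

import (
	"fmt"
	"math"
)

type (
	Point struct{ Lat, Lon float64 } // decimal degrees from the LSS system's own GPS
	Fence struct {                   // "center and radius" form of a Fence command
		Center  Point
		RadiusM float64
	}
	Action   int
	Override struct { // thresholds in metres are assumptions made for this example
		Fences                []Fence
		Route                 []Point // route map sent by the native AV controller
		WarnM, SmallM, LargeM float64
		latched               bool // set once the emergency path has fired
	}
)

const ( // ordered by priority, lowest first
	Continue          Action = iota
	CorrectRoute             // small deviation: send a correction to the AV controller
	NotifyController         // approaching a fence: tell the AV controller to avoid it
	EmergencyOverride        // inside a fence or far off route: bypass the AV controller
)

const earthR = 6371000.0 // mean Earth radius in metres

func rad(deg float64) float64 { return deg * math.Pi / 180 }

func haversineM(a, b Point) float64 {
	sLat, sLon := math.Sin(rad(b.Lat-a.Lat)/2), math.Sin(rad(b.Lon-a.Lon)/2)
	h := sLat*sLat + math.Cos(rad(a.Lat))*math.Cos(rad(b.Lat))*sLon*sLon
	return 2 * earthR * math.Asin(math.Sqrt(h))
}

// offRouteM is the distance from p to the route polyline, using a local flat projection.
func offRouteM(p Point, route []Point) float64 {
	xy := func(q Point) (float64, float64) {
		return rad(q.Lon-p.Lon) * math.Cos(rad(p.Lat)) * earthR, rad(q.Lat-p.Lat) * earthR
	}
	best := math.Inf(1)
	for i := 0; i+1 < len(route); i++ {
		ax, ay := xy(route[i])
		bx, by := xy(route[i+1])
		dx, dy, t := bx-ax, by-ay, 0.0
		if l2 := dx*dx + dy*dy; l2 > 0 {
			t = math.Max(0, math.Min(1, -(ax*dx+ay*dy)/l2))
		}
		best = math.Min(best, math.Hypot(ax+t*dx, ay+t*dy))
	}
	return best
}

// Evaluate checks one GPS fix against the route and every fence.
func (o *Override) Evaluate(fix Point) Action {
	act := Continue
	if len(o.Route) >= 2 {
		switch dev := offRouteM(fix, o.Route); {
		case dev > o.LargeM:
			o.latched = true
		case dev > o.SmallM:
			act = CorrectRoute
		}
	}
	for _, f := range o.Fences {
		switch edge := haversineM(fix, f.Center) - f.RadiusM; {
		case edge <= 0:
			o.latched = true
		case edge <= o.WarnM:
			act = NotifyController
		}
	}
	if o.latched { // stays stopped until law enforcement restarts it
		return EmergencyOverride
	}
	return act
}

// Restart clears the latch only after an authenticated law-enforcement command.
func (o *Override) Restart(authenticated bool) { o.latched = o.latched && !authenticated }

// newDemoOverride returns constructed sample data: an east-west route and one fence.
func newDemoOverride() *Override {
	return &Override{WarnM: 300, SmallM: 15, LargeM: 150,
		Route:  []Point{{40.02, -75.10}, {40.02, -74.90}},
		Fences: []Fence{{Center: Point{40.017, -75.0}, RadiusM: 200}}}
}

func main() {
	o := newDemoOverride()
	names := []string{"Continue", "CorrectRoute", "NotifyController", "EmergencyOverride"}
	for _, fix := range []Point{{40.02, -75.05}, {40.0203, -75.05}, {40.02, -75.0}, {40.0175, -75.0}} {
		fmt.Println(fix, names[o.Evaluate(fix)])
	}
}
```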

With reference now to FIG. 8, a diagram illustrating components of a LSS Illuminator 500, and FIG. 9, a diagram illustrating components of an LSS Manual Controller 600, the two show significant similarities such that the handheld LSS Illuminator and a LSS Manual Controller may be integrated into a single package.

With reference now to FIG. 11, a block diagram of a LSS Override System Controller and Autonomous Vehicle Controller 800 showing the relationship and connections between the LSS Override System Controller 801, the AV Controller and Support System 803, and the External Control Interfaces 805 and 807. The LSS Override System Controller 801 is purposefully shown above the AV Controller and Support System 803 because it can override the AV Controller and Support System 803, which must respond to the direction of LSS Override System Controller 801. The LSS Override System Controller 801 is fully explained in the description of FIG. 10 above; the AV Controller and Support System 803 and the External Control Interfaces 805 and 807 are fully explained in the description of FIG. 2.

With reference now to FIG. 12, a concept drawing of a driver-less AV 900 having LSS Sensor 902 and Control Port 904 depicted in accordance with a preferred embodiment of the present invention. LSS Sensor 902 may be an independent sensor, or may be integrated into the AV navigation sensors such as LIDAR, RADAR, camera or other; however, integrated sensors offer increased anti-tampering security, and are therefore preferred. Control Port 904 is depicted with attached Control Cable 912 and LSS Manual Controller 910; Control Port 904 is attached internally to the External Control Interface 527 shown in FIG. 8. LSS Control Cable 912 and LSS Manual Controller 910 are attached to provide local management of the AV 900 after the AV has stopped. Upon connection of LSS Manual Controller 910, all internal control functions are overridden, including remote AV control via other pathways.

With reference now to FIG. 13, a concept drawing of a driver-less AV 900A having LSS Sensor 902A and Control Port 904A depicted in accordance with an alternate embodiment of the present invention. LSS Sensor 904A may be an independent sensor, or may be integrated into the AV navigation sensors such as LIDAR, RADAR, camera or other; however, integrated sensors offer increased anti-tampering security, and are therefore preferred. The LSS Manual Controller 920A communicates to the LSS Sensor 902A via wireless signal and provides local management of the AV 900A after it has stopped. Upon establishment of LSS Manual Controller 910A control, all internal control functions are overridden, including remote AV control via other pathways. Control Port 904A is unused in this example.

With reference now to FIG. 12 and FIG. 13, whether wired or wireless, the AV can be moved locally as necessary using the LSS Manual Controller. In terminal, this can aid in vehicle maintenance, vehicle fueling for non-electric vehicles such as diesel or hydrogen fuels, charging for electric vehicles, and load and unload tasks; in transit, this can aid in mobile or Port of Entry weight inspections, and/or load inspection. Additionally, the AV Controller can be used in terminal for final inspection to verify route information, and verify all required documentation is present, available, and correct. Although a driver-less AV was used in these examples, those of ordinary skill in the art will appreciate that the AV could be with driver present, with driver facilities but no driver, or driver-less, i.e., no driver facilities, as this will probably be the development sequence for fully autonomous driver-less vehicles.

The description of the present invention has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art. The embodiment was chosen and described in order to best explain the principles of the invention, the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.

Definitions

AV: Autonomous Vehicle, for the purposes of this invention, refers to SAE specification J3016, Level 2 and higher vehicle.
Federal Information Processing Standards: Publicly announced standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors.
FIPS: See Federal Information Processing Standards
Global Navigation Satellite System: The standard generic term for satellite navigation systems that provide autonomous geo-spatial positioning with global coverage.
Global Positioning System: The US Government's implementation of GNSS
GNSS: See Global Navigation Satellite System
GPS: See Global Positioning System
IAS: See Intrusion Analysis Software
Lawful Stop and Search: Refers to a situation where law enforcement may legally request a vehicle to pull over and search (inspect) the vehicle
LSS: See Lawful Stop and Search
LIDAR: An acronym for Light Detection and Ranging, which is a remote sensing method that uses pulsed laser light to perform range measurements; it is used for control and navigation for autonomous vehicles.
National Institute of Standards and Technology: A United States government non-regulatory federal agency of the Department of Commerce; its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
NIST: See National Institute of Standards and Technology
SAE: Society of Automotive Engineers
V2I: Vehicle to Infrastructure
V2V: Vehicle to Vehicle
V2X: V2I and V2V

What is claimed is:
1. A Lawful Stop and Search (LSS) Override Controller for an autonomous vehicle, the controller comprising: a first communication channel to a LSS Illuminator or a LSS Manual Controller; a second communication channel to the LSS Manual Controller; a logical command communications link coupled to the first and second communication channels that employs a secure communication protocol configured to concurrently communicate to said LSS Illuminator and said LSS Manual Controller; an AV Computer interface to an automated driving system (ADS) controller providing default control of said autonomous vehicle; an Emergency Override Interface, bypassing said ADS, coupled to at least one of a drive motor system, a braking system, and a steering system of said autonomous vehicle; a dispatch interface configured to communicate with said autonomous vehicle's dispatch; a memory configured to securely store program code and a data set wherein the data set includes: operational data, critical security parameters (CSPs), and a set of usage records; and a processor.
2. The LSS Override Controller of claim 1, wherein said LSS Override Controller is logically distinct and independent from said ADS controller and may assert unconditional control over said ADS controller via the AV Computer interface, and may bypass said ADS controller to assert unconditional control over at least one of said vehicle steering, braking and propulsion systems via the Emergency Override Interface.
3. The LSS Override Controller of claim 1, wherein said the first communication channel utilize at least one of ultrasonic, optical, and radio frequency energy and the second communication channel utilize a direct wired connection.
4. The LSS Override Controller of claim 1, wherein the set of usage records contain a minimum content including: a notification that a law enforcement entity has performed an LSS interdiction, a date, time, and location of said interdiction, an identity and jurisdiction of said law enforcement entity and evidence of non-repudiation of message origin for said interaction.
5. The LSS Override Controller of claim 1, wherein the processor is configured to record each interaction with the LSS Illuminator or the LSS Manual Controller within said set of usage records and later transmit via said dispatch interface a message comprising a plurality of said usage records and receive acknowledgment that said message was successfully received.
6. The LSS Override controller of claim 1, wherein said secure communication protocol performs an identification and authentication of an entity using the LSS Illuminator or the LSS Manual Controller, and contingent on the determination said entity is an authorized member of law enforcement, said entity is granted access of the LSS override controller to assert control over said autonomous vehicle.
7. The LSS Override controller of claim 1, further comprising an external casing wherein said casing provides a set of protections against unauthorized physical access to the memory.
8. The LSS Override controller of claim 7, wherein the set of protections includes at least one of, evidence of tampering, pick-resistant locks, and tamper-detection/response circuitry.
9. The LSS Override Controller of claim 1, wherein the CSPs includes at least one of the following: cryptographic key, public key certificate, password, PIN, token, or biometric data.
10. A lawful stop and search (LSS) Illuminator comprising: a command communications link configured to communicate using a secure communication protocol to the LSS Override controller via at least one of, a focused beam of ultrasonic, optical, or radio frequency energy; a dispatch interface configured to communicate with law enforcement dispatch; a memory configured to securely store program code and a data set wherein the data set includes: operational data, critical security parameters (CSPs), and a set of usage records; and a processor.
11. The LSS Illuminator of claim 10, wherein the processor is configured to record each interaction with the LSS Override Controller within said set of usage records and later transmit via said dispatch interface a message comprising a plurality of said usage records and receive acknowledgment that said message was successfully received.
12. The LSS Illuminator of claim 10, wherein said set of usage records containing a minimum content including: notification that a law enforcement entity has performed a LSS interdiction, a date, time, and location of said interdiction, the interdicted vehicle ownership, and evidence of non-repudiation of message receipt for said interaction.
13. The LSS Illuminator of claim 10, further comprising an external casing that renders the LSS Illuminator operable as a handheld device wherein said casing provides a set of protections against unauthorized physical access to the memory.
14. The LSS Illuminator of claim 13, wherein the set of protections includes at least one of, evidence of tampering, pick-resistant locks on all casing covers, and tamper-detection/response circuitry.
15. The LSS Illuminator of claim 10, wherein the CSPs includes at least one of the following: cryptographic key, public key certificate, password, PIN, token, or biometric data.
16. A lawful stop and search (LSS) Manual Controller that comprises: a first communication channel to a LSS Override Controller; a second communication channel to the LSS Override Controller; a logical command communications link coupled to the first and second communication channels that employs a secure communication protocol configured to communicate to said to the LSS Override controller; a dispatch interface configured to communicate with law enforcement dispatch; a memory configured to securely store program code and a data set wherein the data set including: operational data, critical security parameters (CSPs), and a set of usage records; and a processor.
17. The LSS Manual Controller of claim 16, wherein said the first communication channel utilize at least one of ultrasonic, optical, and radio frequency energy and the second communication channel utilize a direct wired connection.
18. The LSS Manual Controller of claim 16, wherein the processor is configured to record each interaction with the LSS Override Controller within said set of usage records and later transmit via said dispatch interface a message comprising a plurality of said usage records and receive acknowledgment that said message was successfully received.
19. The LSS Manual Controller of claim 16, wherein said set of usage records containing a minimum content including: notification that a law enforcement entity has performed a LSS interdiction, a date, time, and location of said interdiction, the interdicted vehicle ownership, and evidence of non-repudiation of message receipt for said interaction.
20. The LSS Manual Controller of claim 16, further comprising an external casing that renders the LSS Manual Controller operable as a handheld device wherein said casing provides a set of protections against unauthorized physical access to the memory.
21. The LSS Manual Controller of claim 20, wherein the set of protections includes at least one of, evidence of tampering, pick-resistant locks on all casing covers, and tamper-detection/response circuitry.
22. The LSS Manual Controller of claim 14, wherein the CSPs includes at least one of the following: cryptographic key, public key certificate, password, PIN, token, or biometric data.